Rule History

SID: 2022923 • Source: et/open

Versions (4)

Version DetailsCurrent

Rev: 2 • Jun 29, 2016, 12:00 PM

Message:

ET EXPLOIT Possible CVE-2016-2209 Symantec PowerPoint Parsing Buffer Overflow M1

Rule:

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible CVE-2016-2209 Symantec PowerPoint Parsing Buffer Overflow M1"; flow:established,from_server; file_data; content:"|C8 6A CD E5 F1 2C B0 16 E6 F2 36 7B 41 2E 7F 4B C4 27 13 CF F3 1F FF 2B A8 2B 3A FE 09 77 BE CE 29 00 00 BA 0F 91 03 00 00|"; content:!"|00 00|"; distance:503; within:2; content:"|00 00 BA 0F 16 01 00 00|"; distance:913; within:8; reference:url,bugs.chromium.org/p/project-zero/issues/detail?id=823&q=; classtype:trojan-activity; sid:2022923; rev:2; metadata:created_at 2016_06_29, cve CVE_2016_2209, confidence Low, signature_severity Major, updated_at 2019_07_26;)

Created:

Jun 29, 2016, 12:00 PM

Updated:

Jul 26, 2019, 12:00 PM

DB Created:

Jun 29, 2016, 12:00 PM

DB Updated:

Sep 13, 2024, 3:01 PM

Filename:

rules/emerging-exploit.rules